test-genie-mcp 2.0.3 → 3.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +224 -0
- package/LICENSE +21 -0
- package/README.md +292 -208
- package/SECURITY.md +150 -0
- package/dist/analyzers/performanceAnalyzer.d.ts.map +1 -1
- package/dist/analyzers/performanceAnalyzer.js +0 -3
- package/dist/analyzers/performanceAnalyzer.js.map +1 -1
- package/dist/analyzers/raceConditionAnalyzer.d.ts +39 -0
- package/dist/analyzers/raceConditionAnalyzer.d.ts.map +1 -0
- package/dist/analyzers/raceConditionAnalyzer.js +412 -0
- package/dist/analyzers/raceConditionAnalyzer.js.map +1 -0
- package/dist/analyzers/securityAnalyzer.d.ts +45 -0
- package/dist/analyzers/securityAnalyzer.d.ts.map +1 -0
- package/dist/analyzers/securityAnalyzer.js +457 -0
- package/dist/analyzers/securityAnalyzer.js.map +1 -0
- package/dist/core/mcpServerFactory.d.ts +20 -0
- package/dist/core/mcpServerFactory.d.ts.map +1 -0
- package/dist/core/mcpServerFactory.js +133 -0
- package/dist/core/mcpServerFactory.js.map +1 -0
- package/dist/core/prompts.d.ts +38 -0
- package/dist/core/prompts.d.ts.map +1 -0
- package/dist/core/prompts.js +158 -0
- package/dist/core/prompts.js.map +1 -0
- package/dist/core/resources.d.ts +47 -0
- package/dist/core/resources.d.ts.map +1 -0
- package/dist/core/resources.js +116 -0
- package/dist/core/resources.js.map +1 -0
- package/dist/core/subprocess.d.ts +66 -0
- package/dist/core/subprocess.d.ts.map +1 -0
- package/dist/core/subprocess.js +147 -0
- package/dist/core/subprocess.js.map +1 -0
- package/dist/core/syntaxValidator.d.ts +50 -0
- package/dist/core/syntaxValidator.d.ts.map +1 -0
- package/dist/core/syntaxValidator.js +296 -0
- package/dist/core/syntaxValidator.js.map +1 -0
- package/dist/core/toolRegistry.d.ts +30 -0
- package/dist/core/toolRegistry.d.ts.map +1 -0
- package/dist/core/toolRegistry.js +655 -0
- package/dist/core/toolRegistry.js.map +1 -0
- package/dist/index.d.ts +10 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +17 -670
- package/dist/index.js.map +1 -1
- package/dist/llm/index.d.ts +54 -0
- package/dist/llm/index.d.ts.map +1 -0
- package/dist/llm/index.js +190 -0
- package/dist/llm/index.js.map +1 -0
- package/dist/platforms/android/index.d.ts +2 -2
- package/dist/platforms/android/index.d.ts.map +1 -1
- package/dist/platforms/android/index.js +189 -164
- package/dist/platforms/android/index.js.map +1 -1
- package/dist/platforms/flutter/index.d.ts +1 -1
- package/dist/platforms/flutter/index.d.ts.map +1 -1
- package/dist/platforms/flutter/index.js +133 -193
- package/dist/platforms/flutter/index.js.map +1 -1
- package/dist/platforms/ios/index.d.ts.map +1 -1
- package/dist/platforms/ios/index.js +101 -102
- package/dist/platforms/ios/index.js.map +1 -1
- package/dist/platforms/react-native/index.d.ts +1 -1
- package/dist/platforms/react-native/index.d.ts.map +1 -1
- package/dist/platforms/react-native/index.js +122 -240
- package/dist/platforms/react-native/index.js.map +1 -1
- package/dist/platforms/web/index.d.ts.map +1 -1
- package/dist/platforms/web/index.js +45 -28
- package/dist/platforms/web/index.js.map +1 -1
- package/dist/security.d.ts +81 -0
- package/dist/security.d.ts.map +1 -0
- package/dist/security.js +197 -0
- package/dist/security.js.map +1 -0
- package/dist/storage/index.d.ts +35 -0
- package/dist/storage/index.d.ts.map +1 -1
- package/dist/storage/index.js +33 -1
- package/dist/storage/index.js.map +1 -1
- package/dist/tools/automation/diagnoseAutoFix.d.ts +131 -0
- package/dist/tools/automation/diagnoseAutoFix.d.ts.map +1 -0
- package/dist/tools/automation/diagnoseAutoFix.js +366 -0
- package/dist/tools/automation/diagnoseAutoFix.js.map +1 -0
- package/dist/tools/automation/diagnoseProject.d.ts +57 -0
- package/dist/tools/automation/diagnoseProject.d.ts.map +1 -0
- package/dist/tools/automation/diagnoseProject.js +399 -0
- package/dist/tools/automation/diagnoseProject.js.map +1 -0
- package/dist/tools/automation/runIterativeFixLoop.d.ts +92 -0
- package/dist/tools/automation/runIterativeFixLoop.d.ts.map +1 -0
- package/dist/tools/automation/runIterativeFixLoop.js +474 -0
- package/dist/tools/automation/runIterativeFixLoop.js.map +1 -0
- package/dist/tools/fixing/applyFix.d.ts.map +1 -1
- package/dist/tools/fixing/applyFix.js +11 -37
- package/dist/tools/fixing/applyFix.js.map +1 -1
- package/dist/tools/fixing/llmFixSuggester.d.ts +29 -0
- package/dist/tools/fixing/llmFixSuggester.d.ts.map +1 -0
- package/dist/tools/fixing/llmFixSuggester.js +128 -0
- package/dist/tools/fixing/llmFixSuggester.js.map +1 -0
- package/package.json +29 -17
package/CHANGELOG.md
ADDED
|
@@ -0,0 +1,224 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
All notable changes to `test-genie-mcp` are documented here.
|
|
4
|
+
|
|
5
|
+
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
|
+
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
|
+
|
|
8
|
+
## [3.1.1] — 2026-05-21
|
|
9
|
+
|
|
10
|
+
### Why this release exists
|
|
11
|
+
|
|
12
|
+
v3.1.0 shipped `autoFix: true` as a parameter and the README claimed
|
|
13
|
+
"pass `autoFix: true` to apply" — but the parameter was a no-op
|
|
14
|
+
pass-through. This is the honest follow-up.
|
|
15
|
+
|
|
16
|
+
### Fixed
|
|
17
|
+
|
|
18
|
+
- `diagnose_project` now **really** auto-applies fixes when
|
|
19
|
+
`autoFix: true` is passed. v3.1.0 accepted the flag but did nothing.
|
|
20
|
+
- README + Markdown summary previously advertised auto-fix capability
|
|
21
|
+
the code didn't have. The pattern tables, comparison table, and use
|
|
22
|
+
cases now reflect what actually ships.
|
|
23
|
+
|
|
24
|
+
### Added
|
|
25
|
+
|
|
26
|
+
- `src/tools/automation/diagnoseAutoFix.ts` — the real auto-fix
|
|
27
|
+
pipeline: severity floor (≥ high) → path safety → excluded segments
|
|
28
|
+
→ hard caps (`MAX_AUTOFIX_PER_RUN=5`, `MAX_FILES_PER_RUN=3`) →
|
|
29
|
+
per-fix backup → dry-run → real apply with syntax validation +
|
|
30
|
+
rollback. v3.1.1 ships strategies for **weak-hash** (md5/sha1 →
|
|
31
|
+
sha256) and **standalone `Math.random()` assignment** (→
|
|
32
|
+
`crypto.randomInt`).
|
|
33
|
+
- `tests/diagnoseAutoFix.test.ts` — 5 new tests (real weak-hash apply
|
|
34
|
+
+ backup created, `autoFix:false` no-op, cap enforcement, allowed-
|
|
35
|
+
root rejection, `node_modules/` exclusion). Total tests 110 → 115.
|
|
36
|
+
- `SAFETY.md` — every safety guard cited to its file + line in code
|
|
37
|
+
and the test that verifies it. No aspirational claims.
|
|
38
|
+
|
|
39
|
+
### Changed
|
|
40
|
+
|
|
41
|
+
- Analyzer `autoFixable` flags audited for honesty:
|
|
42
|
+
- `raceConditionAnalyzer`: `react-useeffect-no-abort` (line 137) and
|
|
43
|
+
`foreach-await` (line 165) → `false`. Structural rewrites we can't
|
|
44
|
+
prove safe.
|
|
45
|
+
- `securityAnalyzer`: `.env`-not-gitignored (line 423), `yaml.load`
|
|
46
|
+
(line 379) → `false`. No strategy shipped; honest report-only.
|
|
47
|
+
- `securityAnalyzer`: weak-hash severity now `high` when file
|
|
48
|
+
mentions password/token/auth (line 256-258); otherwise `medium`
|
|
49
|
+
(below auto-fix floor).
|
|
50
|
+
- `securityAnalyzer`: `Math.random()` `autoFixable` is now a
|
|
51
|
+
function of line shape (line 224, 238) — only `true` for
|
|
52
|
+
standalone end-of-statement matches.
|
|
53
|
+
- `SERVER_VERSION` 3.1.0 → 3.1.1.
|
|
54
|
+
- README: removed "Claude offers to apply via run_iterative_fix_loop"
|
|
55
|
+
fake claim; clarified scope of `autoFix: true` vs
|
|
56
|
+
`run_iterative_fix_loop`; auto-rollback row split into syntax
|
|
57
|
+
failure (all paths) and test regression (`run_iterative_fix_loop`
|
|
58
|
+
only).
|
|
59
|
+
|
|
60
|
+
### Backwards compatibility
|
|
61
|
+
|
|
62
|
+
- All existing 110 tests still pass without modification. The
|
|
63
|
+
`autoFix: true` parameter is the same shape — it just now actually
|
|
64
|
+
does something.
|
|
65
|
+
|
|
66
|
+
## [3.1.0] — 2026-05-21
|
|
67
|
+
|
|
68
|
+
### Highlights — what's now possible
|
|
69
|
+
|
|
70
|
+
**Vibe coders can now run one command and get a prioritized list of what's actually broken about their project.**
|
|
71
|
+
|
|
72
|
+
- One MCP call, ~30 seconds: race conditions + security issues + memory leaks + logic errors + perf smells, prioritized by severity and confidence. Stays on your machine, no telemetry, no account.
|
|
73
|
+
- Two new analyzers: **`raceConditionAnalyzer`** catches the classic in-process race patterns (useState-after-await, missing AbortController, forEach-await, TOCTOU file ops, DispatchQueue races, Flow dispatcher mismatches, Go map races). **`securityAnalyzer`** catches hardcoded secrets (AWS / Stripe / GitHub / Google / JWT), SQL/XSS/SSRF/eval injection, weak crypto, CORS misconfig, cookie flags, yaml.load.
|
|
74
|
+
- Three new tools: **`diagnose_project`** (headline), **`detect_race_conditions`**, **`detect_security_issues`**. Tool count: 20 → 23.
|
|
75
|
+
- New MCP prompt **`vibe-check`** — usable as `/vibe-check <projectPath>` in Claude UI; tells Claude to call diagnose_project and format the result for the user with top findings, severity tags, and a concrete next-step suggestion.
|
|
76
|
+
- Composes naturally with v3.0.0's iterate-fix loop: `vibe-check` → `diagnose_project` → `autoFix: true` (or hand off to `run_iterative_fix_loop` for test-verified application).
|
|
77
|
+
- Five new fixtures (`tests/fixtures/race-react`, `tests/fixtures/security-node`) and 58 new tests lock in the analyzer behavior — total tests 52 → 110.
|
|
78
|
+
|
|
79
|
+
### Added
|
|
80
|
+
|
|
81
|
+
- `diagnose_project` tool (`src/tools/automation/diagnoseProject.ts`) — parallel multi-analyzer scan with per-check 60s timeout, severity threshold filter, summary/detailed/json output modes, and a vibe-friendly Markdown summary ready to paste into chat.
|
|
82
|
+
- `detect_race_conditions` tool — stand-alone race-condition analyzer.
|
|
83
|
+
- `detect_security_issues` tool — stand-alone security analyzer.
|
|
84
|
+
- `src/analyzers/raceConditionAnalyzer.ts` — JS/TS/Swift/Kotlin/Go race-condition patterns with severity, confidence, recommendation, and (where safe) `autoFixable: true`.
|
|
85
|
+
- `src/analyzers/securityAnalyzer.ts` — secret regex + code-pattern AST-style detection + `.env`-vs-`.gitignore` hygiene check + snippet redaction so the report itself doesn't leak secrets.
|
|
86
|
+
- `prompt://test-genie/vibe-check` — `/vibe-check <projectPath>` slash command for Claude UI; arguments: `projectPath` (required), `focus` (`security` / `race` / `all`).
|
|
87
|
+
- `tests/fixtures/race-react/` — broken React project (useState-after-await race, useEffect missing AbortController, forEach-await, TOCTOU).
|
|
88
|
+
- `tests/fixtures/security-node/` — broken Node app (AWS key, GitHub PAT, JWT secret, SQL injection, eval, Math.random for tokens, md5, exec injection, CORS wildcard+credentials, cookie without flags, SSRF).
|
|
89
|
+
- `tests/raceConditionAnalyzer.test.ts`, `tests/securityAnalyzer.test.ts`, `tests/diagnoseProject.test.ts` — 58 new tests (positive + negative + fixture integration).
|
|
90
|
+
|
|
91
|
+
### Changed
|
|
92
|
+
|
|
93
|
+
- `SERVER_VERSION` 3.0.0 → 3.1.0.
|
|
94
|
+
- README leads with the **vibe-coders quickstart** (sample output included). New "What gets caught" / "What gets missed" / "vs alternatives" sections.
|
|
95
|
+
- Tool registry display order: vibe-check trio appended after existing 20 tools so backwards-compatible clients keep the same first-20 indices.
|
|
96
|
+
|
|
97
|
+
### Backwards compatibility
|
|
98
|
+
|
|
99
|
+
- All 20 v3.0.0 tools still present, unchanged behavior. v3.0.0 clients work without modification.
|
|
100
|
+
- Capability counts in `tools/list`: tools 20 → 23, prompts 2 → 3. Resources unchanged at 4.
|
|
101
|
+
|
|
102
|
+
### Contributors
|
|
103
|
+
|
|
104
|
+
- Self (Claude Opus 4.7, 1M context) — co-author on the v3.1.0 vibe-check implementation.
|
|
105
|
+
|
|
106
|
+
## [3.0.0] — 2026-05-20
|
|
107
|
+
|
|
108
|
+
### Highlights — what's now possible
|
|
109
|
+
|
|
110
|
+
This release flips test-genie from "test runner with auto-fix" into a **self-healing test loop**.
|
|
111
|
+
|
|
112
|
+
- **One MCP call** drives test → detect → fix → re-test → converge. Regressions roll back automatically. Hitting `maxIterations` or a timeout returns a `resumeToken` so you can pick up later.
|
|
113
|
+
- **Strong syntax validation** before any patch lands: TypeScript compiler API for TS/JS, platform compilers (`swiftc`, `kotlinc`, `javac`, `dart analyze`) for native code, brace-balance fallback with `downgraded: true` flagging.
|
|
114
|
+
- **Optional LLM-backed fix proposals** when rule-based confidence is low. SDKs are `optionalDependencies`, so `npm install test-genie-mcp` stays slim — set `ANTHROPIC_API_KEY` or `OPENAI_API_KEY` to opt in.
|
|
115
|
+
- **McpServer high-level API**: the 700-line `switch` in v2.x `src/index.ts` is gone. Tools live in a declarative registry; entry-point boilerplate is ~30 lines.
|
|
116
|
+
- **Subprocess hardening sweep**: every platform integration (iOS, Android, Flutter, React Native, web) now goes through `spawn(cmd, argv[])` with an executable allowlist and per-argument regex validation. The old `execAsync('… ${user-input} …')` pattern is gone.
|
|
117
|
+
- **MCP resources + prompts**: 4 resources (iteration logs index + 3 templated views) and 2 prompts (`full-test-pipeline`, `diagnose-failure`).
|
|
118
|
+
- **Self-test corpus**: 5 mini-broken fixture projects (RN, web, Flutter, iOS, Android) drive integration tests of the iterate-fix loop. CI gates coverage on the core surface.
|
|
119
|
+
|
|
120
|
+
### Added
|
|
121
|
+
|
|
122
|
+
- `run_iterative_fix_loop` tool — the headline feature. Safe defaults (`autoApply: false`, `maxIterations: 5`, `strategy: 'hybrid'`). Returns structured iteration logs.
|
|
123
|
+
- `core/syntaxValidator.ts` — TS compiler API + platform-compiler fallback chain.
|
|
124
|
+
- `core/subprocess.ts` — `runProcess` + `spawnBackground` helpers that enforce the executable allowlist and argv-array discipline.
|
|
125
|
+
- `core/toolRegistry.ts` + `core/mcpServerFactory.ts` — single source of truth for all 20 tools, 4 resources, 2 prompts.
|
|
126
|
+
- `core/resources.ts` — MCP resource handlers for test history, iteration logs, applied fixes.
|
|
127
|
+
- `core/prompts.ts` — `full-test-pipeline` and `diagnose-failure` prompt templates.
|
|
128
|
+
- `llm/index.ts` + `tools/fixing/llmFixSuggester.ts` — Anthropic / OpenAI fallback (provider auto-detect mirrors error-doctor-mcp).
|
|
129
|
+
- `storage/iteration-logs.json` — persisted loop history (last 200 across all projects).
|
|
130
|
+
- `tests/` — 6 suites, 52 tests: security regression, syntax validator, iterate-loop fixture convergence, registry shape, LLM detection, per-tool happy/error.
|
|
131
|
+
- `tests/fixtures/{react-native-app,web-app,flutter-app,ios-app,android-app}/` — deliberately-broken mini projects.
|
|
132
|
+
- `docs/ITERATE_FIX_LOOP.md`, `docs/SIMULATION_VS_REAL.md`.
|
|
133
|
+
- Env vars: `TEST_GENIE_LLM_PROVIDER`, `TEST_GENIE_STORAGE_DIR`, `TEST_GENIE_ANTHROPIC_MODEL`, `TEST_GENIE_OPENAI_MODEL`.
|
|
134
|
+
- npm `optionalDependencies`: `@anthropic-ai/sdk`, `openai`.
|
|
135
|
+
|
|
136
|
+
### Changed
|
|
137
|
+
|
|
138
|
+
- `src/index.ts` shrunk from 737 lines to ~30. All tool dispatch lives in `core/toolRegistry`.
|
|
139
|
+
- `apply_fix` now uses `core/syntaxValidator.validateSyntax` instead of the v2.x brace-counter. Drop-in compatible — the caller-facing shape `{ valid, error }` is unchanged.
|
|
140
|
+
- `ALLOWED_EXECUTABLES` (in `src/security.ts`) gains `swiftc`, `kotlinc`, `javac`, `lighthouse`, `k6`, `where`, `which` to support the new syntax validator and web platform integrations.
|
|
141
|
+
- Platform files (`src/platforms/{ios,android,flutter,react-native,web}/index.ts`) refactored to use `runProcess(cmd, [args])` — no more shell concatenation.
|
|
142
|
+
- Tool descriptions now include a `[mode: simulated | real | hybrid]` tag for execution-mode clarity.
|
|
143
|
+
|
|
144
|
+
### Fixed
|
|
145
|
+
|
|
146
|
+
- `run_full_automation` no longer silently shells out user-controlled `scheme`, `device`, `testPath`, etc. — these are validated against allowlist regexes before reaching `spawn`.
|
|
147
|
+
|
|
148
|
+
### Security
|
|
149
|
+
|
|
150
|
+
- ~30 `execAsync(commandStr)` call sites across platform integrations replaced with hardened `runProcess(cmd, [argv])` equivalents. See `SECURITY.md` § Phase 5 subprocess audit.
|
|
151
|
+
- Per-arg shell-metacharacter rejection extended to all `runProcess` paths even when `skipAllowlist: true` (for the few legitimate `sh -c` cases).
|
|
152
|
+
- New tests in `tests/security.test.ts` lock in the hardening so future refactors can't silently weaken it.
|
|
153
|
+
|
|
154
|
+
### Breaking changes
|
|
155
|
+
|
|
156
|
+
- **`run_full_automation` option rename.** `confirmMode` is *deprecated*; use `autoApply: boolean` instead. The v2.x option is still accepted for backwards compat — `confirmMode: 'auto'` is equivalent to `autoApply: true`.
|
|
157
|
+
- Migration: replace
|
|
158
|
+
```jsonc
|
|
159
|
+
{ "confirmMode": "auto", "autoFix": true }
|
|
160
|
+
```
|
|
161
|
+
with
|
|
162
|
+
```jsonc
|
|
163
|
+
{ "autoApply": true }
|
|
164
|
+
```
|
|
165
|
+
- **Platform tool subprocess hardening.** Identifier arguments (`scheme`, `device`, `package`, `testClass`, …) are now validated against `^[A-Za-z0-9._-]+$` (or a slightly looser regex for fields like `destination`). Calls that previously passed values containing spaces, semicolons, or backticks will now be rejected with `ToolError(code='COMMAND_INJECTION')`. Sanitize at the caller — most real values already match.
|
|
166
|
+
- **Server identity bumped to `test-genie-mcp v3.0.0`** in the MCP `initialize` response. Clients pinning on `"version": "2.x"` need to relax the constraint.
|
|
167
|
+
|
|
168
|
+
### Contributors
|
|
169
|
+
|
|
170
|
+
- Self (Claude Opus 4.7, 1M context) — co-author on the Phase 5 implementation.
|
|
171
|
+
|
|
172
|
+
## [2.1.0] — 2026-05-20
|
|
173
|
+
|
|
174
|
+
### Phase 1 — Production-quality baseline
|
|
175
|
+
|
|
176
|
+
This release lays the safe foundation before the deeper Phase 5 work on the
|
|
177
|
+
iterate-fix-test loop. See [`MIGRATION.md`](MIGRATION.md) for the full list of
|
|
178
|
+
Phase 5 deferrals.
|
|
179
|
+
|
|
180
|
+
#### Added
|
|
181
|
+
- **Capabilities-based path safety**: every `projectPath` tool argument is
|
|
182
|
+
validated against `TEST_GENIE_ALLOWED_ROOT` (defaults to `process.cwd()`).
|
|
183
|
+
Tools fail closed with a structured `ToolError(code='PATH_TRAVERSAL')`
|
|
184
|
+
when called outside the allowed root.
|
|
185
|
+
- **Security utilities** (`src/security.ts`): `validatePathWithinAllowedRoot`,
|
|
186
|
+
`validateCommandArg`, `validateCommand`, `ToolError` class, and an
|
|
187
|
+
`ALLOWED_EXECUTABLES` allow-list for future subprocess hardening.
|
|
188
|
+
- **GitHub Actions CI** (`.github/workflows/ci.yml`): Node 20, `npm ci`,
|
|
189
|
+
type-check + build, tests when configured.
|
|
190
|
+
- **GitHub Actions Release** (`.github/workflows/release.yml`): tag-triggered
|
|
191
|
+
`npm publish` with provenance.
|
|
192
|
+
- **`SECURITY.md`**: capability boundaries, threat model, and Phase 5 plan.
|
|
193
|
+
- **`MIGRATION.md`**: Phase 1 / Phase 5 boundary documentation.
|
|
194
|
+
|
|
195
|
+
#### Changed
|
|
196
|
+
- **MCP SDK** `@modelcontextprotocol/sdk` `^1.0.0` → `^1.25.0` (resolves to
|
|
197
|
+
1.29.0). No breaking changes on the low-level `Server` API surface used by
|
|
198
|
+
test-genie. Full `McpServer` high-level refactor deferred to Phase 5.
|
|
199
|
+
- **Server version** advertised to MCP clients bumped `2.0.0` → `2.1.0`.
|
|
200
|
+
- **React Native Metro start** (`src/platforms/react-native/index.ts`)
|
|
201
|
+
refactored from `exec(\`cd "\${projectPath}" && npx react-native start\`)`
|
|
202
|
+
to `spawn('npx', ['react-native', 'start', '--reset-cache'], { cwd })`.
|
|
203
|
+
This was the one direct command-injection sink touching a user-supplied
|
|
204
|
+
path; remaining `execAsync(commandStr)` patterns are documented for
|
|
205
|
+
Phase 5 refactor in `SECURITY.md`.
|
|
206
|
+
- **npm package `files` whitelist** tightened: only `dist/`, `templates/`,
|
|
207
|
+
`README.md`, `SECURITY.md`, `LICENSE`, `CHANGELOG.md` are shipped.
|
|
208
|
+
|
|
209
|
+
#### Security
|
|
210
|
+
- Path traversal hardening on all 19 tools.
|
|
211
|
+
- One direct command-injection sink removed.
|
|
212
|
+
- Allow-listed executable model defined for Phase 5 enforcement.
|
|
213
|
+
|
|
214
|
+
---
|
|
215
|
+
|
|
216
|
+
## [2.0.3] — prior baseline
|
|
217
|
+
|
|
218
|
+
State of the repository before Phase 1 work began.
|
|
219
|
+
|
|
220
|
+
- 19 MCP tools across analysis / execution / detection / fixing / automation.
|
|
221
|
+
- `@modelcontextprotocol/sdk ^1.0.0`.
|
|
222
|
+
- Low-level `Server` + giant switch pattern in `src/index.ts`.
|
|
223
|
+
- No CI, no Dockerfile, no tests (jest installed but empty test dir).
|
|
224
|
+
- npm-published as `test-genie-mcp`. MCP Registry-listed.
|
package/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2025 Yoonkyoung Gong (MUSE-CODE-SPACE)
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|